updated 12:30 pm EDT, Tue April 10, 2012

Company not communicating with security firms

Apple recently asked a web registrar, Reggi.ru, to shut down a domain belonging to the Russian security firm Dr. Web, the latter company's CEO has revealed. Boris Sharov says the registrar informed him about the request on Monday. Apple's reasoning was that the domain was being used as a command-and-control server for computers infected with the Flashback Trojan. Sharov notes, though, that the domain is actually hosting a "sinkhole," a spoofed C&C server used to monitor computers linked in the Flashback botnet.

"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," says Sharov. "This seems to mean that Apple is not considering our work as a help. It's just annoying them." He suggests that Apple was making an honest mistake, if one linked to its failure to communicate. "We've given them all the data we have," he comments. "We've heard nothing from them until this."

Dr. Web is best known for calling attention to the size of the Flashback botnet, which recently reached 600,000 Macs. Forbes notes that another security firm, Kaspersky, validated Dr. Web's findings on Friday, but has neither talked to Apple about the matter nor heard anything from the company. A statement from Kaspersky researcher Kurt Baumgartner says that "from what we've seen, Apple is taking appropriate action by working with the larger internet security community to shut down the Flashfake [also known as Flashback] C2 domains. Apple works vigorously to protect its brand and wants to rectify this."

Sharov is more critical of Apple for taking too long to fix a Java exploit used by Flashback, noting that Oracle solved it over a month ago, and that shutting down a single domain is useless, since there are "dozens" of domains currently running the botnet. Over 1 percent of Macs are thought to be infected, though Flashback is currently being exploited for click fraud, rather than something more serious like credit card theft.

come on, Apple...

I give Dr. Web credit for

putting up a spoofed sinkhole and communicating their findings, but by their own acknowledgement, Apple doesn't communicate, so how do they know Apple isn't requesting each of the "dozens" of sites involved be taken down?

Apple

This whole issue demonstrates two things that are wrong with Apple today: Not shipping fixes in time and not communicating properly internally (apparently) and externally. There is no excuse for not shipping published fixes for bugs in software that come with your machines.

Presumably all of them

Presumably Apple is requesting all the relevant domains be shut down, but of course the security firm is the only one who's going to mention it publicly--not like the botnet owner is going to issue a press release.

And this does highlight the one flaw in Apple's security infrastructure--a lax update schedule. They've been slow to patch things for years, and this time it finally came around to bite them in the rear with an actual exploit.

One does hope they learn their lesson, bigtime, and stay on top of patches in the future.

Also: Why the heck didn't Apple (and the Mozilla crew, for that matter) disable Java by default years ago? Java applets haven't been a useful technology for 99.9% of web users since Java-based chatrooms went out of style a decade ago. For those few who need Java for some corporate app it's not like it'd be hard to give instructions on re-enabling it.

Of course not!

Of course Apple is not going to work with Dr. Web or Kaspersky! Apple stakes their reputation on the fact Macs are more secure/no viruses/safer/blah blah, and these companies take every opportunity they can to draw attention to the fact that *gasp* there ARE trojans/malware that can attack the Mac. Apple would like nothing more than to shut these companies up and sweep these issues under the rug. Malware? What malware? :P